Release Information
- Release Type
- Security Update
- Release Status
- Latest Release in 8.3
- Branch Status
- Supported
Latest release for PHP 8.3. This release contains security fixes, and it is recommended to update as soon as possible.
PHP 8.3 continues to receive bug fixes and security fixes until 2025-12-31.
Downloads
Source Code
Git Clone
Use Git to clone the 8.3.20 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.3.20How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
./buildconf), configuring the build ./configure, and running make.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
php-8.3.20-x64NTS.zip (30.7 MiB)
php-8.3.20-x86NTS.zip (27.56 MiB)
Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.
php-8.3.20-x64TS.zip (30.84 MiB)
php-8.3.20-x86TS.zip (27.54 MiB)
Docker/Podman Containers
PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.3.20-cli-alpineDebian-based: More compatible with other components, complete, and are widely used.
docker pull php:8.3.20-cliPHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.3.20-fpm-alpineDebian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:8.3.20-apacheDebian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:8.3.20-fpmChangeLog
Core
- Fixed bug GH-17961 (use-after-free during dl()'ed module class destruction).
- Fixed bug GH-15367 (dl() of module with aliased class crashes in shutdown).
- Fixed bug GH-13193 again (Significant performance degradation in 'foreach').
DOM
- Fix weird unpack behaviour in DOM.
- Fix xinclude destruction of live attributes.
Embed
- Fixed bug GH-8533 (Unable to link dynamic libphp on Mac).
Fuzzer
- Fixed bug GH-18081 (Memory leaks in error paths of fuzzer SAPI).
GD
- Fixed bug GH-17984 (calls with arguments as array with references).
Intl
- Fix locale_compose and locale_lookup to work with their array argument with values as references.
- Fix dateformat_format when the time is an array of references.
- Fix
UConverter::transcodewith substitutes as references.
Mbstring
- Fixed bug GH-17989 (
mb_output_handlercrash with unset http_output_conv_mimetypes).
Opcache
- Fixed bug GH-18112 (NULL access with preloading and INI option).
- Fixed bug GH-18107 (Opcache CFG jmp optimization with try-finally breaks the exception table).
PDO
- Fix memory leak when destroying PDORow.
SOAP
- Fixed bug #66049 (Typemap can break parsing in parse_packet_soap leading to a segfault) .
SPL
- Fixed bug GH-18018 (RC1 data returned from offsetGet causes UAF in ArrayObject).
Treewide
- Fixed bug GH-17736 (Assertion failure
zend_reference_destroy()).
Windows
- Fixed bug GH-17836 (
zend_vm_gen.phpshouldn't break on Windows line endings).
Commit List
Arnaud Le Blanc
- Destroy temporary module classes in reverse order in 1c182674b0
- Disable
ZEND_RC_MOD_CHECK()while loading shared extension in FPM in c531f3d79b
Calvin Buckley
- Attempt at ppc64 CI in GH-17945
- Skip mysqli/tests/bug73462 on PPC CI in GH-17971
- Remove "Notify Slack" on ppc nightly workflow in GH-17993
Daniel Scherzer
- Fix GH-17836:
zend_vm_gen.phpshouldn't break on Windows line endings in fa3c1c81d5
David Carlier
- Fix GH-17921 socket_read/socket_recv overflows on buffer size in 8cbc0c57b7
- Fix GH-17984: gd calls with array arguments in 07ceadf7d9
ext/intl: fix locale_compose/locale_lookup to be able to deal with references in c3fc94c4b8ext/intl: Fix dateformat_format when the time is an array of references in f34859cb90ext/intl: FixUconverter::transcodewith substitutes as references in 005c7b5797
Derick Rethans
- Updated to version 2025.2 (2025b) in 0c8a7a77a8
Eric Mann
- Fix NEWS versions for posterity in 175b962f55
Ilija Tovilo
- Upgrade i386 branch to Ubuntu 22.04 in 294888053a
- Fix flaky DatePeriod test in 8a699372f2
- Upgrade security branches to Ubuntu 22.04 in 5fcc8d4cd1
- Suppress snmp lib memory leak, skip ASAN tests in b0858427aa
- Increase CircleCI no_output_timeout in ee7fcf2a07
- Use-after-free for ??= due to incorrect live-range calculation in ef2c459941
- Fix flaky connection count in mysqli test in 00ebd2d7f2
- Backport intl test changes for ICU 77 in d4c548cf42
Jakub Zelenka
- Change openssl_x509_verify test to use cert generator in GH-17882
- Fix GHSA-ghsa-v8xr-gpvj-cx9g: http header folding in d20b4c97a9
- Fix GHSA-pcmh-g36c-qc44: http headers without colon in 0548c4c175
- Fix GHSA-52jp-hrpf-2jff: http redirect location truncation in ac1a054bb3
- Fix GHSA-hgf5-96fm-v528: http user header check of crlf in 41d49abbd9
- Update NEWS with entries for security fixes in 74d548bf58
- Fix typo in GHSA-hgf5-96fm-v528 NEWS entry in 70c2ebb698
- Get rid of atime change testing in
bug72666_variation3.phptin bd7d3c38ad - Update versions for PHP 8.3.20 in 324861bdc2
Katherine456719
- Fix GH-18082: Memory leaks in fuzzer SAPI error paths in 38e553e418
Kévin Dunglas
- fix GH-8533: dynamic libphp linking on Mac in 009b5e2bfd
Niels Dossche
- Fix branch target in
zend_jit_push_call_frame()in GH-17949 - Fix GH-17736: Assertion failure
zend_reference_destroy()in ce8ab5f16a - Fix GH-17938: UAF with
zend_testopline observer and magic_quotes_gpc=1 in GH-17958 - Fix uninitialized memory accesses in DOM iterator in 2634622d3d
- Fix GH-17989:
mb_output_handlercrash with unset http_output_conv_mimetypes in c7d3dc6fab - Fix weird unpack behaviour in DOM in 9be9f70caa
- Fix tests for libxml2 2.14 in f209eb448e
- Fix test GH-16535 for libxml2 2.14 in b5471300d2
- Fix GHSA-wg4p-4hqh-c3g9 in 0e715e71d9
- Fix GH-18018: RC1 data returned from offsetGet causes UAF in ArrayObject in 27affd8da1
- Correct check for maximum string length in JIT helpers in a7d2703246
- Fix xinclude destruction of live attributes in d9329b1522
- Fix GH-18112: NULL access with preloading and INI option in e9c0296240
- Fix memory leak when destroying PDORow in 2dde07af55
- Fixed bug GH-13193 again in 447d143b9d
- Fix GH-18107: Opcache CFG jmp optimization with try-finally breaks the exception table in 2ec8d37eb4
- Fix intl tests for icu 77 in GH-18125
Remi Collet
- Relax test expectation for pcre2lib 10.45 Using e9284878 in 69480be12a
- Fix #66049 Typemap can break parsing in parse_packet_soap leading to a segfault in 209f4c296e
- NEWS for #66049 in 7e6a36889c
Tim Düsterhus
- Fix GHSA-p3x9-6h7p-cgfc: libxml streams wrong
content-typeon redirect in b6004a043c